Note For complete syntax and usage information for the switch commands used in this chapter, first look at the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location:
The web-based authentication feature, known as Web Authentication Proxy, enables you to authenticate end users on host systems that do not run the IEEE 802.1X supplicant.
Note You can configure web-based authentication on Layer 2 and Layer 3 interfaces.
When you initiate an HTTP session, web-based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the user. The user keys in their credentials, which the web-based authentication feature sends to the AAA server for authentication:
If authentication succeeds, web-based authentication sends a Login-Successful HTML page to the host and applies the access policies returned by the AAA server.
If authentication fails, web-based authentication forwards a Login-Fail HTML page to the user, prompting the user to retry the login. If the user exceeds the maximum number of attempts, web-based authentication forwards a Login-Expired HTML page to the host and the user is placed on a watch list for a waiting period.
These sections describe the role of web-based authentication as part of the authentication, authorization, and accounting (AAA) system:
With web-based authentication, the devices in the network have specific roles (Figure 48-1).
Figure 48-1 Web-Based Authentication Device Roles
The roles are as follows:
Client—The device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running an HTML browser with JavaScript enabled.
Authentication server—Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch that the client is authorized to access the LAN and switch services or that the client is denied.
Switch—Controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.
The switch maintains an IP device tracking table to store information about detected hosts.
Note By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to use web-based authentication.
For Layer 3 interfaces, web-based authentication sets an HTTP intercept ACL when the feature is configured on the interface (or when the interface is put in service).
For Layer 2 interfaces, web-based authentication detects IP hosts using the following mechanisms:
ARP-based trigger—The ARP redirect ACL allows web-based authentication to detect hosts with either a static or a dynamically acquired IP address.
Dynamic ARP inspection (DAI)
DHCP snooping—Web-based authentication is notified when the switch creates a DHCP binding entry for the host.
When web-based authentication detects a new host, it creates a session as follows:
Checks for Auth bypass
If the host IP is not on the exception list, web-based authentication sends a nonresponsive host (NRH) request to the server.
If the server response is Access Accepted, authorization is bypassed for this host. The session is established.
Sets up the HTTP Intercept ACL
If the server response to the NRH request is Access Rejected, the HTTP intercept ACL is activated and the session waits for HTTP traffic from the host.
When you enable web-based authentication, the following events occur:
The user initiates an HTTP session.
The HTTP traffic is intercepted, and authorization is initiated. The switch sends the login page to the user. The user enters a username and password on the login page, and the switch sends the entries to the authentication server.
If the client identity is valid and the authentication succeeds, the switch downloads and activates the user’s access policy from the authentication server. The login success page is sent to the user.
If the authentication fails, the switch sends the login fail page. The user retries the login. If the maximum number of attempts fails, the switch sends the login expired page and the host is placed in a watch list. After the watch list times out, the user can retry the authentication process.
The switch reauthenticates a client when the host does not respond to an ARP probe on a Layer 2 interface, or the host does not send any traffic within the idle timeout on a Layer 3 interface.
The feature applies the downloaded timeout or the locally configured session timeout.
If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server. The terminate action is included in the response from the server.
If the terminate action is default, the session is dismantled and the applied policy is removed.
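The session life cycle described in the preceding steps, written out as a small state machine. This is an added example, not Cisco code: the state names, the `max_attempts` and `watch_list_timeout` values, the `aaa` callback and the `sample_aaa` stand-in for the AAA server are all constructed here so that the flow (NRH request, bypass or HTTP intercept, login retries, watch list, terminate action) can be exercised offline.

```python
"""Model of the web-based authentication session flow (added example, not Cisco code)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, Optional


class State(Enum):
    NEW = auto()
    BYPASSED = auto()       # NRH request answered Access-Accept: no login required
    INTERCEPTING = auto()   # HTTP intercept ACL active; waiting for a login
    AUTHENTICATED = auto()  # downloaded host policy applied
    WATCH_LIST = auto()     # too many failures; retries blocked until the timer expires
    TERMINATED = auto()     # session dismantled, applied policy removed


# Stand-in for the AAA server: (request_kind, username, password) -> (verdict, policy)
AaaFn = Callable[[str, str, Optional[str]], tuple]


@dataclass
class WebAuthSession:
    host_ip: str
    aaa: AaaFn
    max_attempts: int = 3         # assumed value; the guide states no default
    watch_list_timeout: int = 60  # seconds; assumed value
    state: State = State.NEW
    failures: int = 0
    policy: list = field(default_factory=list)
    watch_until: int = 0

    def host_detected(self):
        """New host seen: send the NRH request before any login page is shown."""
        verdict, policy = self.aaa("nrh", self.host_ip, None)
        if verdict == "accept":
            self.state, self.policy = State.BYPASSED, policy   # authorization bypassed
        else:
            self.state = State.INTERCEPTING   # Access-Reject: arm the HTTP intercept ACL
        return self.state

    def login(self, username, password, now):
        """Credentials submitted on the intercepted HTTP session; returns the page shown."""
        if self.state is State.WATCH_LIST:
            if now < self.watch_until:
                return "login-expired"               # still on the watch list
            self.state, self.failures = State.INTERCEPTING, 0   # watch list timed out
        if self.state is not State.INTERCEPTING:
            raise RuntimeError(f"no login expected in state {self.state.name}")
        verdict, policy = self.aaa("login", username, password)
        if verdict == "accept":
            self.state, self.policy, self.failures = State.AUTHENTICATED, policy, 0
            return "login-successful"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.state = State.WATCH_LIST
            self.watch_until = now + self.watch_list_timeout
            return "login-expired"
        return "login-fail"

    def host_unresponsive(self, terminate_action="default"):
        """ARP probe failed (L2) or idle timeout fired (L3): apply the terminate action."""
        if self.state not in (State.AUTHENTICATED, State.BYPASSED):
            return self.state
        if terminate_action == "RADIUS":
            return self.host_detected()   # modelled as a fresh NRH request to the server
        self.state, self.policy = State.TERMINATED, []
        return self.state


def sample_aaa(kind, username, password):
    """Constructed stand-in for the AAA server used by demo()."""
    if kind == "nrh":
        # only the constructed address 192.0.2.50 is on the server's bypass list
        return ("accept", ["permit ip any any"]) if username == "192.0.2.50" else ("reject", [])
    if (username, password) == ("alice", "correct horse"):
        return ("accept", ["permit ip host 192.0.2.10 10.0.0.0 255.0.0.0"])
    return ("reject", [])


def demo():
    """Three bad logins, a retry during the watch-list period, then a good login."""
    s = WebAuthSession("192.0.2.10", sample_aaa)
    trace = [s.host_detected().name]
    trace += [s.login("alice", "wrong", now=t) for t in (0, 1, 2)]
    trace.append(s.login("alice", "correct horse", now=10))   # watch list still active
    trace.append(s.login("alice", "correct horse", now=70))   # watch list has timed out
    return trace


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that a correct password submitted while the host is on the watch list is still answered with the Login-Expired page; only after the watch-list timer has run out does a login attempt reach the AAA server again.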
Customization of the Authentication Proxy Web Pages
During the web-based authentication process, the internal HTTP server of the switch hosts four HTML pages for delivery to an authenticating client. The four pages allow the server to notify you of the following four states of the authentication process:
Login—Your credentials are requested.
Success—The login was successful.
Fail—The login failed.
Expire—The login session has expired because of excessive login failures.
Note When you replace a customized web-based authentication page with a new page (file) of the same name in the switch system directory (i.e., flash), the new page is not displayed; you continue to see the older page. Beginning with Release 15.0(2)SG, the new page is not displayed until you enter the ip admission proxy http refresh-all command.
In Cisco IOS Release 12.2(50)SG, you can substitute your custom HTML pages for the four default internal HTML pages, or you can specify a URL to which you are redirected upon successful authentication, effectively replacing the internal Success page.
Web-Based Authentication Interactions with Other Features
These sections describe web-based authentication interactions with these features:
You can configure web-based authentication and port security on the same port. (You configure port security on the port with the switchport port-security interface configuration command.) When you enable port security and web-based authentication on a port, web-based authentication authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network using the port.
You can configure LAN port IP (LPIP) and Layer 2 web-based authentication on the same port. The host is authenticated using web-based authentication first, followed by LPIP posture validation. The LPIP host policy overrides the web-based authentication host policy.
If the web-based authentication idle timer expires, the NAC policy is removed. The host is authenticated and posture is validated again.
You cannot configure Gateway IP on a Layer 3 VLAN interface if web-based authentication is configured on any of the switch ports in the VLAN.
You can configure web-based authentication on the same Layer 3 interface as Gateway IP. The host policies for both features are applied in software. The GWIP policy overrides the web-based authentication host policy.
If you configure a VLAN ACL or Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied.
For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port. After authentication, the web-based authentication host policy overrides the PACL.
You cannot configure a MAC ACL and web-based authentication on the same interface.
You cannot configure web-based authentication on a port whose access VLAN is configured for VACL capture.
Context-Based Access Control
Web-based authentication cannot be configured on a Layer 2 port if context-based access control (CBAC) is configured on the Layer 3 VLAN interface of the port’s VLAN.
You cannot configure web-based authentication on the same port as 802.1X authentication except as a fallback authentication method.
You can configure web-based authentication on a Layer 2 EtherChannel interface. The web-based authentication configuration applies to all member channels.
On Catalyst 4500 series switches with redundant supervisor engines in RPR mode, information about currently authenticated hosts is maintained during a switchover. You do not need to reauthenticate.
Configuring Web-Based Authentication
These sections describe how to configure web-based authentication:
Web-Based Authentication Configuration Guidelines and Restrictions
When configuring web-based authentication, consider these guidelines and restrictions:
Web authentication requires two Cisco Attribute-Value (AV) pair attributes:
The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user who is logging into the switch.
The second attribute is an access list to be applied for web-authenticated hosts. The syntax is similar to 802.1x per-user access control lists (ACLs). However, instead of ip:inacl, this attribute must begin with proxyacl, and the source field in each entry must be any. (After authentication, the client IP address replaces the any field when the ACL is applied.)
proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
proxyacl# 20=permit ip any 220.127.116.11 255.255.0.0
proxyacl# 30=permit udp any any eq syslog
proxyacl# 40=permit udp any any eq tftp
Note The proxyacl entry determines the type of allowed network access.
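A small validator for the two AV pairs described above, written as an added example rather than taken from Cisco or the switch software. It checks a RADIUS profile the way the switch would need it (priv-lvl=15 present, every proxyacl# entry with any as its source) and then expands the entries for one authenticated host by substituting that host's address for the any source field. The SAMPLE_AV_PAIRS list is constructed from the entries shown above, the client address 192.0.2.10 is a constructed example, and rendering the substituted source as `host <ip>` (standard IOS ACL syntax for a single address) is an assumption about how the replacement is written out.

```python
"""Validate and expand web-authentication proxyacl AV pairs (added example, not Cisco code)."""
import ipaddress
import re

# Matches "proxyacl# <seq>=<ace>", e.g. "proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0"
_PROXYACL_RE = re.compile(r"^proxyacl#\s*(\d+)\s*=\s*(.+)$")

SAMPLE_AV_PAIRS = [  # constructed sample, modelled on the entries in the guide
    "priv-lvl=15",
    "proxyacl# 30=permit udp any any eq syslog",
    "proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0",
    "proxyacl# 40=permit udp any any eq tftp",
]


def parse_av_pairs(av_pairs):
    """Return (priv_lvl, ordered ACE strings) or raise ValueError.

    Rejects what web authentication would not accept: a missing or non-15
    priv-lvl, an unrecognised attribute, or an ACE whose source is not 'any'.
    """
    priv_lvl = None
    aces = []
    for av in av_pairs:
        av = av.strip()
        if av.startswith("priv-lvl="):
            priv_lvl = int(av.split("=", 1)[1])
            continue
        m = _PROXYACL_RE.match(av)
        if not m:
            raise ValueError(f"unrecognised AV pair: {av!r}")
        seq, fields = int(m.group(1)), m.group(2).split()
        # ACE layout: <action> <protocol> <source> [<destination> [<mask>] [eq <port>]]
        if len(fields) < 3 or fields[0] not in ("permit", "deny"):
            raise ValueError(f"malformed ACE in {av!r}")
        if fields[2] != "any":
            raise ValueError(f"source must be 'any' in {av!r}, got {fields[2]!r}")
        aces.append((seq, " ".join(fields)))
    if priv_lvl != 15:
        raise ValueError(f"priv-lvl must be 15, got {priv_lvl!r}")
    aces.sort(key=lambda item: item[0])   # apply in sequence-number order
    return priv_lvl, [ace for _, ace in aces]


def expand_for_host(aces, client_ip):
    """Build the per-host ACL: the client's address replaces the 'any' source."""
    host = str(ipaddress.IPv4Address(client_ip))   # rejects malformed addresses
    expanded = []
    for ace in aces:
        fields = ace.split()
        fields[2] = f"host {host}"   # assumed rendering of a single-address source
        expanded.append(" ".join(fields))
    return expanded


if __name__ == "__main__":
    _, sample_aces = parse_av_pairs(SAMPLE_AV_PAIRS)
    for line in expand_for_host(sample_aces, "192.0.2.10"):
        print(line)
```

Because the source field is rewritten per host, a profile that tries to pin a source subnet into a proxyacl entry is rejected here before it reaches a switch; the destination side of each entry is where the allowed network access is actually expressed.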
Web-based authentication is an ingress-only feature.
You can configure web-based authentication only on access ports. Web-based authentication is not supported on trunk ports, EtherChannel member ports, or dynamic trunk ports.
You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface, or a Cisco IOS ACL for a Layer 3 interface.
On Layer 2 interfaces, you cannot authenticate hosts with static ARP cache assignment. These hosts are not detected by the web-based authentication feature, because they do not send ARP messages.
By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to use web-based authentication.
You must configure at least one IP address to run the HTTP server on the switch. You must also configure routes to reach each host IP address. The HTTP server sends the HTTP login page to the host.
Hosts that are more than one hop away may experience traffic disruption if an STP topology change results in the host traffic arriving on a different port. This is because ARP and DHCP updates may not be sent after a Layer 2 (STP) topology change.
Web-based authentication does not support VLAN assignment as a downloadable host policy.
Cisco IOS Release 12.2(50)SG supports downloadable ACLs (DACLs) from the RADIUS server.
Web-based authentication is not supported for IPv6 traffic.
Web-Based Authentication Configuration Task List
To configure the web-based authentication feature, perform the following tasks:
Configures the authorization and encryption key used between the switch and the TACACS server.
This example shows how to enable AAA:
Switch(config)# aaa new-model
Switch(config)# aaa authentication login default group tacacs+
Switch(config)# aaa authorization auth-proxy default group tacacs+
Configuring Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by one of the following:
Host IP address
Host name and specific UDP port numbers
IP address and specific UDP port numbers
The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service (for example, authentication), the second host entry that is configured functions as the failover backup to the first one. The RADIUS host entries are chosen in the order in which they were configured.
To configure the RADIUS server parameters, perform this task:
Switch(config)# ip radius source-interface interface_name
Specifies that the RADIUS packets have the IP address of the indicated interface.
Switch(config)# no ip radius source-interface
Prevents the RADIUS packets from having the IP address of the previously indicated interface.
Specifies the number of unanswered transmits to a RADIUS server before considering the server to be inactive. The range of num-tries is 1 to 100.
When you configure the RADIUS server parameters, follow these steps:
Specify the key string on a separate command line.
For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
When you specify the key string, spaces within and at the end of the key are treated as part of the key. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption key used on the RADIUS daemon.
You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers with the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands. For more information, see the URL:
Note You need to configure some settings on the RADIUS server, including: the IP address of the switch, the key string to be shared by both the server and the switch, and the downloadable ACL (DACL). (Cisco IOS Release 12.2(50)SG supports DACLs.) For more information, see the RADIUS server documentation.
This example shows how to configure the RADIUS server parameters on a switch:
Switch(config)# ip radius source-interface Vlan80
Switch(config)# radius-server host 172.120.39.46 test username user1
To use web-based authentication, you must enable the HTTP server within the switch. You can enable the server for either HTTP or HTTPS.
To enable the server, perform one of these tasks:
Switch(config)# ip http server
Enables the HTTP server. The web-based authentication feature uses the HTTP server to communicate with the hosts for user authentication.
Switch(config)# ip http secure-server
Starting with Cisco IOS Release 12.2(50)SG, you can optionally configure custom authentication proxy web pages or specify a redirection URL for successful login, as described in the following sections: